DNI Exploitation System/Analytic Framework

Performs strong (e.g. email) and soft (content) selection 

Provides real-time target activity (tipping) 

"Rolling Buffer" of ~3 days of ALL unfiltered data seen by 
XKEYSCORE: 

• Stores full-take data at the collection site - indexed by meta-data 

• Provides a series of viewers for common data types 

Federated Query system - one query scans all sites 

• Performing full-take allows analysts to find targets that were 
previously unknown by mining the meta-data 
• Small, focused team

• Work closely with the analysts 

• Evolutionary development cycle (deploy early, deploy often) 

• React to mission requirements 

• Support staff integrated with developers 

• Sometimes a delicate balance of mission and research 
• Massive distributed Linux cluster

• Over 500 servers distributed around the world 

• System can scale linearly - simply add a new 
server to the cluster 

• Federated Query Mechanism 
[Diagram: User Queries fan out through the federated query mechanism as one Query each to a FORNSAT site, F6 Site 1, F6 Site 2 and an SSO site]
Approximately 150 sites
Over 700 servers
Processing Speed

[Chart: processing speed; the only legible label is TURMOIL/TURBULENCE]
• Can look at more data

• XKEYSCORE can also be configured to go shallow if the data rate is too high
Strong selection by itself gives us only a very limited capability.

A large amount of time spent on the web is performing actions that are anonymous.

We can use this traffic to detect anomalies, which can lead us to intelligence by itself, or to strong selectors for traditional tasking.
Plug-ins extract and index metadata into tables

[Diagram: sessions -> processing engine -> database -> user queries]
Plug-in            Description

E-mail Addresses   Indexes every E-mail address seen in a session by both username and domain

Extracted Files    Indexes every file seen in a session by both filename and extension

Full Log           Indexes every DNI session collected. Data is indexed by the standard N-tuple (IP, Port, Casenotation etc.)

HTTP Parser        Indexes the client-side HTTP traffic (examples to follow)

Phone Number       Indexes every phone number seen in a session (e.g. address book entries or signature block)

User Activity      Indexes the Webmail and Chat activity to include username, buddylist, machine specific cookies etc.
What Can Be Stored?

Anything you wish to extract

• Choose your metadata

• Customizable storage times

• Ex: HTTP Parser

FM IP 58.65.157.5 TO IP 64.233.161.147

GET /search?hl=en&q=islamabad&meta= HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms..., application/msword, application/x-shockwave-flash, */*
Referer: http://www.google.com.pk/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ...
Host: www.google.com.pk
Cookie: PREF=ID=a34384e2f6...:TM=1168503483:LM=1168503483:S=KKzZb3kPcw4vNxGt
Via: 1.0 proxy.bnu.gol.net.pk:8080 (squid/2.5.STABLE13)
X-Forwarded-For: 58.65.15?.136
Connection: keep-alive

[Slide annotation: No username/strong selector]
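The pipeline described on the slides above (plug-ins extract metadata from each session into tables held at the collection site; one query is fanned out to every site), as an added example written for this page; it is not code from the original deck or from the system it describes. The two sessions, the RFC 5737 IP addresses, the hosts and the cookie values are constructed, modelled on the request shown on the slide; the three plug-ins are simplified stand-ins for the E-mail Addresses, Phone Number and HTTP Parser plug-ins in the table. The last function shows the point the slide makes with its callout: a search session that carries no username can still be tied to strong selectors through the machine-specific cookie it shares with another session, possibly at a different site.

```python
"""Sessions -> plug-ins -> per-site tables -> federated query (added example)."""
import re
import sqlite3
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sessions: a selector-less web search through a proxy (as on the slide)
# and a webmail POST, seen at another site, carrying the same persistent cookie ID.
SESSIONS = [
    {"site": "SITE-A", "sid": 1, "src_ip": "192.0.2.5", "dst_ip": "198.51.100.7",
     "payload": ("GET /search?hl=en&q=islamabad&meta= HTTP/1.0\r\n"
                 "Referer: http://www.example.com.pk/\r\n"
                 "Accept-Language: en-us\r\n"
                 "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
                 "Host: www.example.com.pk\r\n"
                 "Cookie: PREF=ID=a34384e2f6c0ffee:TM=1168503483:LM=1168503483:S=KKzZb3kPcw4vNxGt\r\n"
                 "Via: 1.0 proxy.example.net.pk:8080 (squid/2.5.STABLE13)\r\n"
                 "X-Forwarded-For: 192.0.2.136\r\n\r\n")},
    {"site": "SITE-B", "sid": 2, "src_ip": "192.0.2.9", "dst_ip": "198.51.100.20",
     "payload": ("POST /mail/send HTTP/1.1\r\n"
                 "Host: webmail.example.org\r\n"
                 "Accept-Language: de\r\n"
                 "Cookie: PREF=ID=a34384e2f6c0ffee:TM=1168600000:LM=1168600000:S=xyz\r\n\r\n"
                 "from=alice%40example.org&to=bob%40example.net&body=Call+me+on+%2B92-51-1234567")},
]

EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")
PHONE_RE = re.compile(r"\+?\d[\d\- ]{7,}\d")


def http_parser(session):
    """HTTP Parser plug-in: request line, search terms, language, the client IP a proxy
    reveals in X-Forwarded-For, and the cookie ID (a soft selector, not a strong one)."""
    head = session["payload"].partition("\r\n\r\n")[0].split("\r\n")
    method, target, _ = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = dict(c.strip().split("=", 1) for c in headers.get("cookie", "").split(";") if "=" in c)
    pref_id = re.search(r"\bID=([0-9a-f]+)", cookies.get("PREF", ""))
    return [{
        "method": method,
        "host": headers.get("host"),
        "path": urlsplit(target).path,
        "search_terms": " ".join(parse_qs(urlsplit(target).query).get("q", [])) or None,
        "accept_language": headers.get("accept-language"),
        "user_agent": headers.get("user-agent"),
        "client_ip": headers.get("x-forwarded-for", session["src_ip"]).split(",")[0].strip(),
        "machine_cookie": pref_id.group(1) if pref_id else None,
    }]


def email_plugin(session):
    """E-mail Addresses plug-in: every address in the session, split into username and domain."""
    text = unquote_plus(session["payload"])
    return [{"username": u, "domain": d} for u, d in EMAIL_RE.findall(text)]


def phone_plugin(session):
    """Phone Number plug-in: numbers in the decoded body only, so cookie timestamps are not taken for numbers."""
    body = unquote_plus(session["payload"].partition("\r\n\r\n")[2])
    return [{"number": re.sub(r"[^\d+]", "", m)} for m in PHONE_RE.findall(body)]


SCHEMA = {
    "http": ("method", "host", "path", "search_terms", "accept_language", "user_agent", "client_ip", "machine_cookie"),
    "email": ("username", "domain"),
    "phone": ("number",),
}
PLUGINS = {"http": http_parser, "email": email_plugin, "phone": phone_plugin}


def index_site(sessions):
    """Processing engine of one collection site: every plug-in over every session."""
    db = sqlite3.connect(":memory:")
    for table, cols in SCHEMA.items():
        db.execute(f"CREATE TABLE {table} (site, sid, src_ip, dst_ip, {', '.join(cols)})")
        for s in sessions:
            for row in PLUGINS[table](s):
                vals = [s["site"], s["sid"], s["src_ip"], s["dst_ip"]] + [row[c] for c in cols]
                db.execute(f"INSERT INTO {table} VALUES ({', '.join('?' * len(vals))})", vals)
    db.commit()
    return db


def build_sites(sessions):
    """One database per site: the data stays where it was collected."""
    by_site = {}
    for s in sessions:
        by_site.setdefault(s["site"], []).append(s)
    return {site: index_site(rows) for site, rows in by_site.items()}


def federated_query(sites, sql, params=()):
    """Federated query: the same SQL goes to every site and the results are merged."""
    return [row for db in sites.values() for row in db.execute(sql, params).fetchall()]


def strong_selectors_for_cookie(sites, cookie_id):
    """From a machine-specific cookie (soft selector) to e-mail addresses seen in
    other sessions carrying the same cookie, anywhere in the federation."""
    hits = federated_query(sites, "SELECT site, sid FROM http WHERE machine_cookie = ?", (cookie_id,))
    found = set()
    for site, sid in hits:
        for user, domain in sites[site].execute("SELECT username, domain FROM email WHERE sid = ?", (sid,)):
            found.add(f"{user}@{domain}")
    return sorted(found)


if __name__ == "__main__":
    sites = build_sites(SESSIONS)
    print(federated_query(sites, "SELECT site, client_ip, search_terms FROM http"))
    print(strong_selectors_for_cookie(sites, "a34384e2f6c0ffee"))
```

The only cross-site step is the query; rows never leave their site's database, which is what lets the index scale by adding servers while the full-take data stays local.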
• How do I find a strong-selector for a known target?

• How do I find a cell of terrorists that has no 
connection to known strong-selectors? 

• Answer: Look for anomalous events 

• E.g. Someone whose language is out of place for the 
region they are in 

• Someone who is using encryption 

• Someone searching the web for suspicious stuff 
Show me all the encrypted Word documents from Iran

Show me all PGP usage in Iran 

• Once again - data volume too high so 
forwarding these back is not possible 

• No strong-selector 

• Can perform this kind of retrospective 
query, then simply pull content of interest 
from site as required 
Show me all the VPN startups in country X, and give me the data so I can decrypt and discover the users

• These events are easily browsable in 
XKEYSCORE 

• No strong-selector 




XKEYSCORE extracts and stores authoring 
information for many major document types - can 
perform a retrospective survey to trace the 
document origin since metadata is typically kept for 
up to 30 days 

No other system performs this on raw unselected 
bulk traffic, data volumes prohibit forwarding 
• Traditionally triggered by a strong-selector event, but it doesn't have to be this way

• Reverse PSC - from anomalous event back to 
a strong selector. You cannot perform this 
kind of analysis when the data has first been 
strong selected. 

• Tie in with Marina - allow PSC collection after 
the event 
• My target speaks German but is in Pakistan - how can I find him?

• XKEYSCORE's HTTP Activity plugin extracts 
and stores all HTML language tags which 
can then be searched 

• Not possible in any other system but 
XKEYSCORE, nor could it be - 

• volumes are too great to forward 

• No strong-selector 
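The "speaks German but is in Pakistan" query above, as an added example for this page (not code from the deck): HTML language tags and the client's Accept-Language header are extracted from each session and compared with the languages expected in the country the client IP geolocates to. The geolocation table, the expected-language table and the four sessions are constructed and illustrative only; a real deployment would use a geolocation database and a tuned language model per region.

```python
"""Language-out-of-place detection over indexed sessions (added example)."""
import re

# Constructed: which languages are unremarkable in a region (illustrative, not authoritative).
EXPECTED_LANGS = {"PK": {"en", "ur"}, "IR": {"fa", "en"}, "DE": {"de", "en"}}
# Constructed stand-in for an IP geolocation lookup (RFC 5737 test addresses).
GEO = {"192.0.2.10": "PK", "192.0.2.11": "PK", "192.0.2.12": "IR"}

# <html lang="de-DE"> / <html xml:lang="de"> and <meta http-equiv="Content-Language" content="de">
HTML_LANG_RE = re.compile(r"<html\b[^>]*?\blang\s*=\s*[\"']?([A-Za-z]{2,3}(?:[-_][A-Za-z0-9]+)*)", re.I)
META_LANG_RE = re.compile(r"<meta\b[^>]*content-language[^>]*?\bcontent\s*=\s*[\"']?([A-Za-z][A-Za-z0-9_, -]*)", re.I)


def primary_language(tag):
    """'de-DE', 'de_CH' or 'en-us,en;q=0.5' -> base subtag of the first entry ('de', 'en')."""
    first = tag.split(",")[0].split(";")[0].strip()
    base = re.split(r"[-_]", first)[0].lower()
    return base or None


def html_languages(body):
    """Every language the HTML itself declares (the HTML language tags the deck indexes)."""
    tags = HTML_LANG_RE.findall(body) + META_LANG_RE.findall(body)
    return {lang for lang in map(primary_language, tags) if lang}


def session_languages(session):
    """Client-declared (Accept-Language) and content-declared (HTML) languages of one session."""
    langs = set()
    if session.get("accept_language"):
        lang = primary_language(session["accept_language"])
        if lang:
            langs.add(lang)
    return langs | html_languages(session.get("html", ""))


def language_anomalies(sessions, geo=GEO, expected=EXPECTED_LANGS):
    """Sessions whose language is out of place for the region the client IP maps to.
    Sessions from a region with no expectation table are skipped, not alerted on."""
    out = []
    for s in sessions:
        country = geo.get(s["client_ip"])
        if country not in expected:
            continue
        odd = session_languages(s) - expected[country]
        if odd:
            out.append((s["sid"], country, sorted(odd)))
    return out


# Constructed sessions: fields as the HTTP plug-in would have stored them.
SESSIONS = [
    {"sid": 1, "client_ip": "192.0.2.10", "accept_language": "en-us,en;q=0.5",
     "html": "<html lang='en'><head><title>news</title></head></html>"},
    {"sid": 2, "client_ip": "192.0.2.11", "accept_language": "de-DE,de;q=0.8,en;q=0.5",
     "html": ('<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" lang="de-DE"><head>'
              '<meta http-equiv="Content-Language" content="de" /></head><body>Hallo</body></html>')},
    {"sid": 3, "client_ip": "192.0.2.12", "accept_language": "fa",
     "html": "<html><head><title>x</title></head></html>"},
    {"sid": 4, "client_ip": "203.0.113.5", "accept_language": "de", "html": ""},
]

if __name__ == "__main__":
    print(language_anomalies(SESSIONS))   # session 2: German in a PK address range
```

Session 4 is deliberately left out of the result: its address is not in the geolocation table, and a detector that alerts on everything it cannot place would bury the one signal this query is after.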
• My target uses Google Maps to scope target locations - can I use this information to determine his email address? What about the web-searches - do any stand out and look suspicious?

• XKEYSCORE extracts and databases these events 
including all web-based searches which can be 
retrospectively queried 

• No strong-selector 

• Data volume too high to forward 
Document Tracking

I have a Jihadist document that has been passed around through numerous people, who wrote this and where were they?
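The authoring-information extraction described two slides back and the document-tracking question above, as one added example for this page; it is not code from the deck. It reads the core and application properties that Office writes into every OOXML package (.docx/.xlsx/.pptx), then orders several captures of the same document by the document's own save history to recover the creator and the chain of later editors together with where each copy surfaced. The packages are built in memory with only the parts the extractor reads; the names, timestamps and capture countries are constructed.

```python
"""Authoring metadata from OOXML packages and a retrospective origin trace (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = (("creator", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy"),
               ("revision", "cp:revision"), ("created", "dcterms:created"),
               ("modified", "dcterms:modified"))
APP_FIELDS = (("application", "ep:Application"), ("company", "ep:Company"))


def extract_authoring(blob):
    """Core and application properties of an OOXML package; missing parts yield None."""
    info = {k: None for k, _ in CORE_FIELDS + APP_FIELDS}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for key, path in fields:
                el = root.find(path, NS)
                if el is not None and el.text:
                    info[key] = el.text.strip()
    return info


def make_docx(creator, last_modified_by, revision, created, modified, company="", app="Microsoft Office Word"):
    """Constructed minimal package: only the parts the extractor reads are populated."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
            f'<cp:revision>{revision}</cp:revision>'
            f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
            f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
            '</cp:coreProperties>')
    appxml = f'<Properties xmlns="{NS["ep"]}"><Application>{app}</Application><Company>{company}</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", appxml)
    return buf.getvalue()


def sample_copies():
    """Constructed: three captures of one document, each re-saved by a different person."""
    return [
        {"seen_country": "IQ", "seen_at": "2007-03-06T08:15:00Z",
         "blob": make_docx("author.a", "editor.c", 7, "2007-01-10T09:00:00Z", "2007-03-05T12:00:00Z")},
        {"seen_country": "PK", "seen_at": "2007-01-11T18:40:00Z",
         "blob": make_docx("author.a", "author.a", 1, "2007-01-10T09:00:00Z", "2007-01-10T09:30:00Z")},
        {"seen_country": "IR", "seen_at": "2007-02-02T07:00:00Z",
         "blob": make_docx("author.a", "editor.b", 3, "2007-01-10T09:00:00Z", "2007-02-01T20:00:00Z", company="ACME")},
    ]


def trace_origin(copies):
    """Order captures by the document's own save history (modified time, then revision)
    and report who created it and who touched it afterwards, with where each copy surfaced."""
    rows = []
    for c in copies:
        m = extract_authoring(c["blob"])
        rows.append((m["modified"] or "", int(m["revision"] or 0), m, c["seen_country"]))
    rows.sort(key=lambda r: (r[0], r[1]))
    return {
        "author": rows[0][2]["creator"],
        "created": rows[0][2]["created"],
        "chain": [(r[2]["last_modified_by"], r[1], r[3]) for r in rows],
        "earliest_capture": min(c["seen_at"] for c in copies),
    }


if __name__ == "__main__":
    print(trace_origin(sample_copies()))
```

The creator field survives every re-save, so all three copies agree on who wrote the document even though each was last touched by someone else; the capture order on the wire (IQ first here) is not the edit order, which is why the trace sorts on the document's own timestamps and revision counter rather than on when each copy was seen.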
Document Discovery

Show me all the Microsoft Excel spreadsheets containing MAC addresses coming out of Iraq so I can perform network mapping



• New extractor allows different dictionaries to run on 
document/email bodies - these more complex 
dictionaries can generate and database this 
information 

• No strong-selector 

• Data volume is high 

• Multiple dictionaries targeted at specific data types 
Show me all the exploitable machines in country X



• Fingerprints from TAO are loaded into 
XKEYSCORE's application/fingerprintID 
engine 

• Data is tagged and databased 

• No strong-selector 

• Complex boolean tasking and regular 
expressions required 
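The fingerprint engine the slide above sketches (fingerprints loaded as boolean combinations of regular expressions, sessions tagged at ingest, tags queried later with no strong selector), as an added example written for this page; it is not code from the deck and the rules are not the fingerprints the slide refers to. The fingerprint names, the session fields and the sessions are made up. A tag only records which software was observed in a session; whether that software is exploitable is a separate judgement the tag does not make.

```python
"""Fingerprints as boolean combinations of regexes over session fields (added example)."""
import re


def field(name, pattern):
    """Predicate: regex match against one extracted session field (missing field never matches)."""
    rx = re.compile(pattern, re.I)
    return lambda s: bool(rx.search(s.get(name) or ""))


def all_of(*preds):
    return lambda s: all(p(s) for p in preds)


def any_of(*preds):
    return lambda s: any(p(s) for p in preds)


def not_(pred):
    return lambda s: not pred(s)


# fingerprint name -> predicate (hypothetical rules, deliberately simple)
FINGERPRINTS = {
    "browser/msie6/winxp": all_of(field("user_agent", r"\bMSIE 6\.0\b"),
                                  field("user_agent", r"Windows NT 5\.1")),
    "proxy/squid/2.5": field("via", r"\(squid/2\.5"),
    "client/behind-proxy": any_of(field("via", r"\S"), field("x_forwarded_for", r"\S")),
    # a client of interest that is NOT behind a proxy: boolean tasking with negation
    "client/direct/msie6": all_of(field("user_agent", r"\bMSIE 6\.0\b"),
                                  not_(any_of(field("via", r"\S"), field("x_forwarded_for", r"\S")))),
    "webserver/apache/1.3": field("server", r"^Apache/1\.3\."),
}


def tag_session(session):
    """All fingerprints that fire on one session."""
    return sorted(name for name, pred in FINGERPRINTS.items() if pred(session))


def build_index(sessions):
    """Tag every session once at ingest; later queries look only at the tags."""
    return [(s["sid"], s["country"], tag_session(s)) for s in sessions]


def query(index, tag, country=None):
    """'Show me all sessions tagged X in country Y' without any strong selector."""
    return [sid for sid, c, tags in index if tag in tags and (country is None or c == country)]


# Constructed sessions: header fields as the HTTP plug-in would have stored them.
SESSIONS = [
    {"sid": 1, "country": "PK", "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
     "via": "1.0 proxy.example.net.pk:8080 (squid/2.5.STABLE13)", "x_forwarded_for": "192.0.2.136"},
    {"sid": 2, "country": "PK", "user_agent": "Mozilla/5.0 (X11; U; Linux i686; rv:1.8.1) Gecko/20061010 Firefox/2.0",
     "server": "Apache/1.3.37 (Unix)"},
    {"sid": 3, "country": "IQ", "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
     "server": "Microsoft-IIS/5.0"},
]

if __name__ == "__main__":
    index = build_index(SESSIONS)
    print(index)
    print(query(index, "browser/msie6/winxp", "IQ"))
```

Compiling each regex once when the rule is built, and evaluating rules at ingest rather than at query time, is what makes the "complex boolean tasking" affordable at line rate: the query side only ever compares tags.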
New target web services



New web services every day 

Scanning content for the userid 
rather than performing strong 
selection means we may detect 
activity for applications we 
previously had no idea about 
• Have technology (thanks to R6) for English, Arabic and Chinese

• Allow queries like: 

• Show me all the word documents with 
references to IAEO 

• Show me all documents that reference 
Osama Bin Laden 

• Will allow a 'show me more like this' 
capability 
• High Speed Selection

• Toolbar 

• Integration with Marina 

• GPRS, WLAN integration 

• SSO CRDB 

• Workflows 

• Multi-level Dictionaries 
• High speeds yet again (algorithmic and Cell Processor (R4))

• Better presentation 

• Entity Extraction 

• VoIP 

• More networking protocols 

• Additional metadata 

• Expand on google-earth capability 

• EXIF tags 

• Integration of all CES-AppProcs 

• Easier to install/maintain/upgrade 